Tox.im

rysiek rysiek@hackerspace.pl
Tue Feb 3 08:13:02 PST 2015


Yo,

don't you die on me!

Lately I started testing Tox, it's actually usable, voice and video, and file 
transfers work, it looks neat. Question is (to quote Tolkien, whom I'm sure we 
all love and cherish):
"Is it secret? Is it safe?"

So we have this:

On Saturday, 5 July 2014 22:36:50, stef wrote:
> afaics there's a traffic analysis weakness in all messages, it discloses
> both public keys of the peers in public:
> https://github.com/irungentoo/toxcore/blob/master/docs/updates/Crypto.md#crypto-request-packets

We also have a brave soul (not me) that attempted writing proper protocol 
documentation for Tox, and started diving into the code. The docs seem 
lacking, the only things we've been able to find are:
 https://github.com/irungentoo/toxcore/tree/master/docs
 https://jenkins.libtoxcore.so/job/Technical_Report/lastSuccessfulBuild/artifact/tox.pdf/

Not *that* helpful, but look at the Crypto section in the PDF:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Tox uses crypto_box() from the NaCl crypto library for all the cryptography
in Tox. Unless otherwise noted, all keys refer to keys generated with
crypto_box_keypair(), all encryption is done with crypto_box() and all
decryption with crypto_box_open(). For performance purposes the functions to
precompute the shared secret and encrypt and decrypt messages with it are
used extensively in Tox; however, this is not relevant to this document.
The function crypto_box() provides fast public-key authenticated encryption.
For exactly how it works read the NaCl docs.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Hmmm...

So, the brave RFC-writing soul got some questions. Maybe somebody here has 
access to some answers? Questions being:

 - does the transport layer have encryption? (does the middle layer do that 
all or...?)
 - where is the documentation of the cryptography?
 - is there any hmac done at all?
 - what is the tox id for a seed with all 0?
 - how does the tox implementation handle different byte alignment?
 - how does the tox implementation handle different byte endianness?
 - how well stressed is the tox implementation? benchmarks?
 - where is the rest of the documentation? 
 - where can I find a full view of how tox works from bottom to top?

Anybody?

-- 
Regards,
Michał "rysiek" Woźniak

I'm changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147